Snort Inline?

Is anyone successfully running an inline deployment of Snort on FreeBSD? If so, please email me: richard at taosecurity dot com. This guide makes it look easy, but I've tried multiple variations (bridging, routing, etc.) with Snort 2.3.3 on FreeBSD 5.4 REL and nothing works completely. Thank you.

Update: I got it working. snort-2.3.3.tar.gz doesn't work; snort_inline-2.3.0-RC1.tar.gz does. Who knew.

Comments

Anonymous said…
Richard:

Don't know if you are using the ports version of snort 2.3.3 (inline has been included in snort src since 2.3.0RC1) or not. However, the --enable-inline and --enable-ipfw switches have to be set during compile time; the ports version doesn't have this. Additionally, the README.INLINE in snort 2.3.3 src also mentions the need for libnet (1.0.x) to be installed. Hope this helps!
Hello,

I installed Snort 2.3.3 from source. I have PCRE and Libnet 1.0.2a on the box. Still no go.
Anonymous said…
Yeah, we need to backport divert socket support into the main branch of Snort. One step at a time...

-Marty
